Google developed the QUIC protocol to increase the performance of HTTPS and HTTP (TCP 443 and TCP 80) connections. Chrome browsers have had experimental support for it since 2014 and it's also used in Chromium and Android devices.
QUIC connections do not require TCP handshakes. However, SSL inspection requires TCP session information. Because of this, Zscaler cannot examine QUIC sessions when users have SSL inspection enabled. When using QUIC, users might also experience certificate errors.
Zscaler best practice is to block QUIC. When it's blocked, QUIC has a failsafe to fall back to TCP. This enables SSL inspection without negatively impacting user experience.
Choose how to block QUIC based on how you are forwarding your traffic to Zscaler.
If you are sending your outbound internet traffic to Zscaler through a GRE or IPSec tunnel, you can effectively block QUIC by creating a Firewall Filtering rule. This blocks QUIC UDP flows and forces the browser to default to TCP 80/443.
If you are only sending Z App traffic to Zscaler (or leveraging remote users) create a block rule on the device firewall to block UDP 80 and 443. This is typically done by an IT admin and will be different for every organization.
If you are only sending TCP 80/443 over a tunnel to Zscaler, block QUIC on your branch firewall.
If your firewall is not listed, refer to your manufacturer's documentation for details on how to block QUIC.
As an alternate measure, you can also block QUIC in Chrome itself.
If you have administrator access for Google Apps, you can create a policy to block Chrome for all users. To learn more, see Google Chrome Enterprise Help. If you do not, you can still disable QUIC on individual machines.
Whenever Chrome is updated, the settings will revert to their default values and you need to disable QUIC again.
To disable QUIC on individual machines:
To create a service:
To create a policy:
To do this: